Channels

Services

Update closes critical Safari hole on Mac OS X

A simple JavaScript command launches arbitrary programs on a Mac running on Lion
The update to Mac OS X 10.7.2 not only brings iCloud, but also closes a number of critical security holes – and at least one of them is particularly serious. Mac users should therefore update as soon as possible.

The update to Safari 5.1.1 closes numerous holes, but the one with the ID CVE-2011-3230 is especially critical – firstly, because it is very easy to exploit, and secondly, because public demonstrations of it are already in circulation. At its simplest, a web site can use a basic JavaScript command to launch arbitrary programs on Macs. The attack is possible because LaunchServices doesn't handle local file://URLs properly and instead launches the assigned program.

Aaron Sigel, who discovered the hole, says that he informed Apple of the problem; he has since published demo code. In a brief test conducted by The H's associates at heise Security, the attack worked quite well and was successfully used to launch the netstat command and display the local /etc/passwd file. The problem is reproducible both on Lion and Snow Leopard. Infecting a computer with malicious software would not necessarily be a simple matter, because the program has to already be on the target system and it is not clear how a program can be controlled to conduct specific actions. But it is a safe assumption that attackers will find out how this can be done. The Windows version of Safari is not apparently vulnerable.

However, anyone using Lion's hard drive encryption (FileVault) will have to be careful. An increasing number of reports indicate that such systems no longer boot after the Mac OS X update. And those who use Symantec's PGP encryption software without file encryption can apparently also expect to have problems. At present, it is not quite clear why that is, but as soon as The H knows of a risk-free way of installing the updates, the information will be published here.